Skill

analyzing-ransomware-network-indicators

From asi

Analyzes Zeek conn.log and NetFlow data to detect ransomware indicators including C2 beaconing, TOR exit node connections, data exfiltration, and DNS patterns. For threat hunting and incident investigations.

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Before and during ransomware execution, adversaries establish C2 channels, exfiltrate data, and download encryption keys. This skill analyzes Zeek conn.log and NetFlow data to detect beaconing patterns (regular-interval callbacks), connections to known TOR exit nodes, large outbound data transfers, and suspicious DNS activity associated with ransomware families.

SKILL.md

Similar Skills

analyzing-ransomware-network-indicators

5.9k

Analyzes Zeek conn.log and NetFlow data to detect ransomware indicators: C2 beaconing, TOR connections, data exfiltration, DNS patterns, and risk scoring.

3 files

cybersecurity-skills

analyzing-ransomware-network-indicators

Analyzes Zeek conn.log and NetFlow data to detect ransomware indicators: C2 beaconing patterns, TOR exit node connections, data exfiltration, and encryption key exchanges.

3 files

cybersecurity-skills-zh

detecting-beaconing-patterns-with-zeek

Analyzes Zeek conn.log connection intervals for C2 beaconing patterns using ZAT to load data into Pandas, computes inter-arrival time std dev, flags low-jitter beacons for threat hunting.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Analyzing Ransomware Network Indicators

Overview

When to Use

When investigating security incidents that require analyzing ransomware network indicators

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Zeek conn.log files or NetFlow CSV/JSON exports

Python 3.8+ with standard library

TOR exit node list (fetched from Tor Project or threat intel feeds)

Optional: Known ransomware C2 IOC list

Steps

Parse Connection Logs — Ingest Zeek conn.log (TSV) or NetFlow records into structured format

Detect Beaconing Patterns — Calculate connection interval statistics (mean, stddev, coefficient of variation) to identify periodic callbacks

Check TOR Exit Node Connections — Cross-reference destination IPs against current TOR exit node list

Identify Data Exfiltration — Flag connections with unusually high outbound byte ratios to external IPs

Analyze DNS Patterns — Detect DGA-like domain queries and high-entropy subdomains

Score and Correlate — Apply composite risk scoring across all indicator types

Generate Report — Produce structured report with timeline and MITRE ATT&CK mapping

Expected Output

JSON report with beaconing detections and interval statistics

TOR exit node connection alerts

Data exfiltration flow analysis

Composite ransomware risk score with MITRE mapping (T1071, T1573, T1041)